What is meant by the terms “data protection” and “data security”? Are you aware of the differences? We will tell you one thing right from the start: “data protection” and “data security” do not mean the same thing, even though they have the common root “data”. Therefore, these terms should not be used synonymously. Why is that? Keep reading to find out.
Differences between data protection and data security
So what exactly are the differences between data protection and data security, even though they sound so similar? Unfortunately, there is no standard definition for the terms, and the differences cannot be derived from the words “data protection” and “data security” either.
We will start with what is meant by “data protection”, because understanding it is also necessary for understanding data security: data security is a component of data protection.
What does “data protection” mean?
Explanation of data protection
Data protection is about protecting individuals whose personal data is processed, e.g. stored, by a company or local government. Personal data can be any information about a person that can directly or indirectly identify that person. Personal data includes names, addresses, occupations, education or account numbers, health data, political opinions or information about religious affiliation. In short, data protection focuses on individuals. Individuals should be protected by data protection legislation from having their personal data processed arbitrarily by companies or other institutions. Individuals should retain control over their data and not become “transparent individuals”.
Legal framework for data protection
In the UK, data protection is governed by the Data Protection Act 2018 (DPA 2018), which incorporates the General Data Protection Regulation (GDPR). The GDPR sets rules for handling personal data, enforced by the Information Commissioner’s Office (ICO). Key aspects include data protection principles, individual rights, and requirements for data transfers and breach notifications. Compliance is crucial to protect individuals’ privacy and avoid penalties.
Key principles of data protection
To ensure that personal data is not processed arbitrarily by companies or other institutions, the GDPR regulates “whether” and “how” the data is to be processed. The decisive factor is that personal data may only be processed (“whether”) if a legal basis permits this or if the persons whose data are processed have given their consent, Art. 6 (1) GDPR, so-called “prohibition with reservation of consent”. In addition, the GDPR lays down certain principles on “how” personal data is to be processed, Art. 5 GDPR. For example, personal data may only be processed for purposes determined before the processing (e.g. fulfilment of a contract) and must be reduced to a minimum (e.g. no collection of personal data that are not necessary for the fulfilment of the contract). Furthermore, data processing must be transparent, meaning that individuals must be fully informed about the processing of their personal data so that they can understand or control the processing.
Summary on data protection
Data protection protects individuals from unlawful processing of their personal data. The legal regulations on data protection, particularly the GDPR, regulate “whether” and “how” personal data are processed.
Read more: Rules for the protection of personal data inside and outside the EU
What does “data security” mean?
Explanation of data security
“Data security” is a sub-area of “IT security”, alongside “information security”. In contrast to data protection, data security focuses on the data itself and not on persons. It also covers not only personal data but data in general, which therefore includes, for example, operational data (balance sheets, source code) that has no personal reference. Data security aims to protect data from threats through technical and/or organisational measures. Threats can be, for example, hacking, theft, malware or human error.
Legal framework for data security
Data security focuses on ensuring that technical and/or organisational measures are in place to protect data. There is no universally applicable law on data security that covers every company. However, Art. 32 GDPR stipulates that technical and/or organisational measures must be used to protect personal data; Art. 32 GDPR also lists example measures, such as encryption or pseudonymisation.
Additionally, for critical infrastructures, or “CRITIS” for short, such as for the healthcare, finance, food or energy sectors, there are special legal regulations regarding information security in general. The Information Security Act applies to the CRITIS. The law aims to ensure that the information technology systems of the CRITIS are made secure. In addition, companies or other institutions can be certified according to certain standards, e.g. ISO 27001. These standards contain certain regulations on how information security can be implemented theoretically and practically in a company or other institutions through technical and/or organisational measures.
Main protection goals of data security
The goal of data security is to ensure that data is protected at all times. Data security is achieved, among other things, when the three essential protection goals of “confidentiality”, “availability” and “integrity” are guaranteed and not compromised. Confidentiality is ensured when only authorised persons have access to the data; availability when authorised persons can access the data at all times; integrity when the data is correct and complete.
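The measures named above stay abstract without a concrete form, so here is an added example, not taken from the article, that shows two of them in working code: pseudonymisation (one of the Art. 32 GDPR example measures mentioned earlier) and an integrity check (one of the three protection goals). Direct identifiers in a record are replaced with keyed HMAC-SHA256 tokens, so the dataset no longer identifies the person without the key, and a second keyed tag over the result detects any later manipulation. The record, field names and keys are constructed for this example; in practice the keys would live in a key management system, not in source code.

```python
import hashlib
import hmac
import json

# Constructed keys for the example only (assumption: real keys come from a KMS/HSM).
PSEUDONYM_KEY = b"example-pseudonymisation-key-not-for-production"
INTEGRITY_KEY = b"example-integrity-key-not-for-production"

# Constructed sample record; "name" and "email" are the direct identifiers
# (personal data in the GDPR sense), the other fields are kept as they are.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "email": "jane@example.org",
    "diagnosis_code": "J45",
    "visit_date": "2024-03-01",
}
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with keyed tokens (HMAC-SHA256).

    Without the key a token cannot be turned back into the identifier, while the
    same identifier always yields the same token, so records of one person stay
    linkable for analysis. Under GDPR the result is still personal data: the
    key holder can re-identify, which is why the key must be kept separately.
    """
    pseudonymised = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            token = hmac.new(key, value.encode("utf-8"), hashlib.sha256)
            pseudonymised[field] = token.hexdigest()
        else:
            pseudonymised[field] = value
    return pseudonymised


def canonical(record: dict) -> bytes:
    """Stable byte serialisation so the tag does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def integrity_tag(record: dict, key: bytes) -> str:
    """Keyed tag over the whole record; only a holder of the key can produce it."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_integrity(record: dict, tag: str, key: bytes) -> bool:
    """True if the record is unchanged since the tag was computed.

    compare_digest is used so the comparison time does not leak how many
    leading characters of the tag were correct.
    """
    return hmac.compare_digest(integrity_tag(record, key), tag)


def demo() -> tuple:
    """Run the full flow: pseudonymise, tag, verify, then detect a manipulation."""
    pseudo = pseudonymise(SAMPLE_RECORD, PSEUDONYM_KEY)
    tag = integrity_tag(pseudo, INTEGRITY_KEY)
    intact = verify_integrity(pseudo, tag, INTEGRITY_KEY)
    # Simulate manipulation of the stored record after tagging.
    tampered = dict(pseudo, diagnosis_code="Z00")
    manipulation_detected = not verify_integrity(tampered, tag, INTEGRITY_KEY)
    return pseudo, intact, manipulation_detected


if __name__ == "__main__":
    record, ok, caught = demo()
    print(json.dumps(record, indent=2))
    print("integrity verified:", ok, "| manipulation detected:", caught)
```

Two design points are worth noting. A keyed HMAC is used instead of a plain hash because an unkeyed hash of a name or e-mail address can be reversed by simply hashing candidate values; the key is what keeps the token confidential. Using separate keys for pseudonymisation and integrity keeps the two measures independent, so handing the integrity key to a verifying system does not also grant the ability to re-identify people.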
Summary on data security
Data security protects data of any kind against loss, manipulation and other threats and can be achieved in particular by technical and/or organisational measures.
Conclusion on the differences between data protection and data security
It is important to note that although data protection and data security are not identical, data protection can only be ensured with data security. After all, it is of no use if personal data is processed lawfully but is not sufficiently protected from threats by technical and/or organisational measures.
Read more: Fortify Your Data Protection with Advanced Data Privacy Management Software